Semantics-aware detection of targeted attacks: a survey

Journal of Computer Virology and Hacking Techniques, May 2016

In today’s interconnected digital world, targeted attacks have become a serious threat to conventional computer systems and critical infrastructure alike. Many researchers contribute to the fight against network intrusions or malicious software by proposing novel detection systems or analysis methods. However, few of these solutions have a particular focus on Advanced Persistent Threats or similarly sophisticated multi-stage attacks. This turns finding domain-appropriate methodologies or developing new approaches into a major research challenge. To overcome these obstacles, we present a structured review of semantics-aware works that have a high potential for contributing to the analysis or detection of targeted attacks. We introduce a detailed literature evaluation schema in addition to a highly granular model for article categorization. Out of 123 identified papers, 60 were found to be relevant in the context of this study. The selected articles are comprehensively reviewed and assessed in accordance with Kitchenham’s guidelines for systematic literature reviews. In conclusion, we combine new insights and the status quo of current research into the concept of an ideal systemic approach capable of semantically processing and evaluating information from different observation points.



J Comput Virol Hack Tech
Robert Luh, Stefan Marschalek, Manfred Kaiser, Helge Janicke, Sebastian Schrittwieser
Faculty of Technology, De Montfort University, Gateway House 5.37, Leicester LE1 9BH, UK

1 Introduction

IT infrastructures and corporate networks are threatened by a plethora of different attacks. Not long ago, research and industry almost entirely focused on the detection and prevention of widespread malware attacks without a specific target. Signature-based detection techniques have been the de facto standard against this kind of threat throughout the past 30 years, and current virus scanners still rely primarily on malware signatures for detection. The fundamental idea behind these techniques is founded on the assumption that one malicious campaign targets thousands or even millions of hosts. Once the payload or carrier has been found on one system, a generic signature or behavior pattern of the threat can be extracted and used on other systems for detection.

In recent years, however, a new generation of attack has emerged. Advanced Persistent Threats (APTs) or Advanced Targeted Attacks (ATAs) can be characterized as tailored to one specific entity. These types of attacks are driven by different motivations and often cause significantly more damage than bulk attacks; often they are performed for espionage or sabotage reasons and are orchestrated by experts. Several cases in recent history have shown that targeted attacks -

On the espionage side, the Regin trojan is believed to have been used for global, systematic campaigns since at least 2008 [139]. Other examples include Flame [79], Mahdi [130], and Gauss [80]. These strains are currently used for cyber-espionage in Middle Eastern countries and, depending on the variant, are capable of stealing passwords and cookies, recording network traffic, keystrokes, microphone audio, and even entire Skype conversations [103]. ATAs and APTs are increasingly affecting less prominent targets as well. In 2013 alone, “economic espionage and theft of trade secrets cost the American economy more than $19 billion. Over the past 4 fiscal years, the number of arrests related to economic espionage and theft of trade secrets overseen by the FBI’s Economic Espionage Unit has almost doubled, indictments have more than tripled, and convictions have increased sixfold. Halfway through fiscal year 2013, the number of open investigations is running more than 30 % above the total from 4 years ago” [112].

Modern cyber-threats are no longer limited to a single malware executable but often comprise targeted, multi-stage attacks that are difficult to spot using only file- and signature-based malware detection systems. The reason why these more conventional detection methods are less effective against ATAs is rooted in the fact that targeted attacks are tailor-made to the organization they seek to penetrate: binary patterns of the responsible malware are unlikely to exist at the time of attack. Anti-virus (AV) products are effective in the defense against known exploit carriers or ill-considered user actions but struggle with hitherto unknown malware [42]. The rise of state-sponsored attacks poses another serious challenge, as well-funded actors are able to invest significantly more time and effort into designing and developing hard-to-detect malware. Furthermore, government bodies may compel AV vendors to whitelist their respective espionage tools. This makes it necessary to explore novel techniques for tactical threat intelligence and malicious activity detection on multiple layers, allowing for (...truncated)
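The contrast drawn above, between a byte signature extracted once from a captured sample and a behavior pattern that describes what the attack does, can be made concrete. The following is an added illustration and not code from the survey or from any system it reviews: it extracts a byte signature from the first captured build of a campaign tool, then checks that signature and an ordered behavior pattern against a second, per-target rebuild. All file bytes, process names, paths and addresses are constructed placeholders (no real malware, no real telemetry), and the pattern format is an assumption of this example rather than a format the paper defines.

```python
"""Byte-signature vs. behaviour-pattern detection on constructed samples.

Added example (not from the survey): a signature taken from one build of a
campaign tool misses a target-specific rebuild of the same tool, while an
ordered behaviour pattern over host events still matches both and leaves a
benign trace alone.
"""
import re
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple

# --- Constructed file samples (placeholder bytes, not real malware) ---------
_HEADER = b"MZ\x90\x00"
_PAYLOAD_CMD = b"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"

# Build seen in a mass campaign: the command line is stored in clear.
MASS_BUILD = _HEADER + _PAYLOAD_CMD + b"\x00" * 8
# Per-target rebuild of the same tool: identical behaviour at runtime, but the
# string is XOR-obfuscated with a target-specific key (0x5A here, an arbitrary
# constructed value), so no byte sequence is shared with the mass build.
TAILORED_BUILD = _HEADER + bytes(b ^ 0x5A for b in _PAYLOAD_CMD) + b"\x00" * 8


def extract_signature(blob: bytes, start: int = 4, length: int = 24) -> bytes:
    """Conventional AV workflow: one captured sample yields a fixed byte
    pattern that is then pushed to every other host."""
    return blob[start:start + length]


def matches_signature(blob: bytes, signature: bytes) -> bool:
    return signature in blob


# --- Constructed host-event traces -----------------------------------------
@dataclass(frozen=True)
class Event:
    process: str   # image name of the acting process
    action: str    # "spawn", "connect" or "write"
    target: str    # child image, remote endpoint or file path


# Behaviour pattern: ordered steps of (process regex, action, target regex).
# It encodes what the attack does (document viewer spawns a shell, the shell
# calls out, the shell persists) rather than how the binary looks on disk.
BehaviourStep = Tuple[str, str, str]
SHELL = r"(powershell|pwsh|cmd)\.exe"
OFFICE_TO_SHELL_BEACON_PERSIST: Sequence[BehaviourStep] = (
    (r"(winword|excel)\.exe", "spawn", SHELL),
    (SHELL, "connect", r".*:443"),
    (SHELL, "write", r".*\\Startup\\.*"),
)


def matches_behaviour(trace: Sequence[Event], steps: Sequence[BehaviourStep]) -> bool:
    """True if the steps occur in order (as a subsequence) within the trace;
    unrelated events in between are ignored."""
    idx = 0
    for ev in trace:
        proc_re, action, target_re = steps[idx]
        if (ev.action == action
                and re.fullmatch(proc_re, ev.process, re.IGNORECASE)
                and re.fullmatch(target_re, ev.target, re.IGNORECASE)):
            idx += 1
            if idx == len(steps):
                return True
    return False


STARTUP = r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
MASS_TRACE = [
    Event("winword.exe", "spawn", "powershell.exe"),
    Event("powershell.exe", "connect", "203.0.113.10:443"),
    Event("powershell.exe", "write", r"C:\Users\a" + STARTUP + r"\upd.lnk"),
]
TAILORED_TRACE = [
    Event("excel.exe", "spawn", "pwsh.exe"),                          # different lure and shell
    Event("pwsh.exe", "write", r"C:\Users\b\AppData\Local\Temp\x.tmp"),  # unrelated noise
    Event("pwsh.exe", "connect", "198.51.100.7:443"),
    Event("pwsh.exe", "write", r"C:\Users\b" + STARTUP + r"\sync.lnk"),
]
BENIGN_TRACE = [
    Event("winword.exe", "write", r"C:\Users\c\Documents\report.docx"),
    Event("outlook.exe", "connect", "192.0.2.20:443"),
    Event("cmd.exe", "write", r"C:\Users\c\AppData\Local\Temp\build.log"),
]


def evaluate() -> Dict[str, bool]:
    """Run both detectors over the constructed samples and traces."""
    sig = extract_signature(MASS_BUILD)
    return {
        "signature_mass": matches_signature(MASS_BUILD, sig),
        "signature_tailored": matches_signature(TAILORED_BUILD, sig),
        "behaviour_mass": matches_behaviour(MASS_TRACE, OFFICE_TO_SHELL_BEACON_PERSIST),
        "behaviour_tailored": matches_behaviour(TAILORED_TRACE, OFFICE_TO_SHELL_BEACON_PERSIST),
        "behaviour_benign": matches_behaviour(BENIGN_TRACE, OFFICE_TO_SHELL_BEACON_PERSIST),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20s} {'HIT' if hit else 'miss'}")
```

The signature catches only the build it was extracted from; the behavior pattern catches both builds because it is written against the sequence of host actions, which the attacker kept even while changing the lure document, the shell binary and the on-disk bytes. The subsequence match is deliberately tolerant of interleaved unrelated events, which is what makes it usable on real telemetry; the price is that the steps must be specific enough (here: an Office process as parent, port 443, the Startup folder) that ordinary activity such as the benign trace does not satisfy them in order.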



Robert Luh, Stefan Marschalek, Manfred Kaiser, Helge Janicke, Sebastian Schrittwieser. Semantics-aware detection of targeted attacks: a survey, Journal of Computer Virology and Hacking Techniques, 2016, pp. 47-85, Volume 13, Issue 1, DOI: 10.1007/s11416-016-0273-3